Add ACL enforcement to the v1/agent/health/service/* endpoints #7160

Closed
hanshasselberg opened this issue Jan 28, 2020 · 0 comments

hanshasselberg commented Jan 28, 2020

Vulnerability ID: CVE-2020-7955
Release Date: January 29, 2020
Affected Products/Versions: Previous versions of Consul and Consul Enterprise; fixed in 1.6.3.

A low-risk vulnerability was identified in the Consul and Consul Enterprise (“Consul”) HTTP API such that the endpoints v1/agent/health/service/* did not enforce ACLs. This vulnerability affects Consul releases 1.4.1 until 1.6.2, and is fixed in 1.6.3.

This adds ACL enforcement to the two endpoints that were missing it.

Note that in the case of getting a service's health by its ID, we still must first look up the service, so we still "leak" information about a service with that ID existing. There isn't really a way around it, though, as ACLs are meant to check service names.

Vulnerability Details

Even with an agent with ACLs enabled and with a default “deny” policy, these endpoints still leak some service and check information. The data leaked looks like:

[
    {
        "AggregatedStatus": "passing",
        "Service": {
            "ID": "web",
            "Service": "web",
            "Tags": [],
            "Meta": {},
            "Port": 1234,
            "Address": "",
            "Weights": {
                "Passing": 1,
                "Warning": 1
            },
            "EnableTagOverride": false,
            "Namespace": "default"
        },
        "Checks": []
    }
]

So in here, we have service names and IDs, overall health, ports, any metadata and a list of checks. That list of checks will contain the node name, check name, notes and check output, to mention a few things.

The only thing that makes this less bad is that the HTTP API is normally served via localhost (although a user can override that). In that case you would have to be on the machine already in order to figure out the service and check info (which would also be found in the data dir of Consul).

Remediation

Customers should upgrade to Consul or Consul Enterprise 1.6.3, or newer. Please refer to Upgrading Consul for general guidance and version-specific upgrade notes.

hanshasselberg changed the title from "Reserved Issue Number" to "Add ACL enforcement to the v1/agent/health/service/* endpoints" on Jan 30, 2020
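The following Go code is an added example, not part of the original issue or the Consul code base. `affected` flags agent versions in the range the advisory gives (1.4.1 through 1.6.2), and `leaksServiceData` classifies the response to a token-less request for these endpoints on a default-deny agent. Both function names, the handling of version suffixes, the treatment of any non-200 status as enforced, and the sample inputs are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// affected reports whether a Consul version is in the range the advisory gives
// for CVE-2020-7955: 1.4.1 through 1.6.2 (fixed in 1.6.3). Suffixes such as
// "+ent" or "-beta1" are ignored, which is an assumption of this example.
func affected(version string) (bool, error) {
	var maj, mnr, pat int
	v := strings.TrimPrefix(strings.TrimSpace(version), "v")
	_, err := fmt.Sscanf(v, "%d.%d.%d", &maj, &mnr, &pat)
	if err != nil || maj < 0 || mnr < 0 || pat < 0 || mnr > 999 || pat > 999 {
		return false, fmt.Errorf("unrecognised version %q", version)
	}
	n := maj*1000000 + mnr*1000 + pat
	return n >= 1004001 && n <= 1006002, nil
}

// leaksServiceData classifies the response to a token-less request for
// v1/agent/health/service/* on a default-deny agent: a 200 whose body lists
// entries with a populated Service.ID means ACLs were not enforced.
func leaksServiceData(status int, body []byte) bool {
	var list []struct {
		Service struct{ ID string }
	}
	if status != 200 || json.Unmarshal(body, &list) != nil {
		return false
	}
	for _, e := range list {
		if e.Service.ID != "" {
			return true
		}
	}
	return false
}

func main() {
	// Constructed inventory and response body, not captured from a real agent.
	for _, v := range []string{"1.4.0", "1.4.1", "1.6.2+ent", "1.6.3"} {
		a, err := affected(v)
		fmt.Println(v, a, err)
	}
	body := []byte(`[{"AggregatedStatus":"passing","Service":{"ID":"web"},"Checks":[]}]`)
	fmt.Println(leaksServiceData(200, body), leaksServiceData(403, nil))
}
```

The response check handles the array shape shown in the issue; a lookup that returns a single object would need its own decoding branch.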